It's a common business case in most of the applications that need to upload to file(s) to server or database.
so in this article, I want to discuss/share about how to tackle insecure file upload scenarios.
Type of file uploading scenarios
- Static file(s) directly upload to server(on-premise or cloud)
- Static file converts to Base 64 String and Upload to Database
both of these scenarios if on-premise/cloud server or database not scanning malicious files then those are entered into the server.
scenarios like our personal PC or office PC antivirus system not detecting real-time, these malicious files can spread when uploading those to the server.
What are the good hygiene practices for our PC
- Using up to date antivirus system.
- Or if you don't have third-party AV software Can use Windows Defender software.
If still, our PC doesn’t have 3rd party AV software or WD software or current antivirus not detecting properly. then when we try to upload a file, if it contains malicious content same disaster can happen.
so at this moment, we have to think about workflows to avoid such disasters
Scan file(s) options for the virus before uploading to the server that can integrate to inside the application.
- Using ClamAV Antivirus software solution (Free and Open Source Software)
- Before upload to server exact path upload to a temporary location in the server.
- Using CLI wrappers for virus scan.
okay we now focus on to how to implement each solution
Clam AV
This sample Github project will show how to use ClamAv in ASP.NET MVC solution
TempLocation in Server
Normally in servers have antivirus software installed, so before upload to the exact physical location, if upload to a temporary location, then server antivirus software can do a real-time scan. after the scan, if it's not a malicious file then those files can move to the exact location.
CLI Wrappers
This sample GitHub project showing how to use CLI wrappers to integrate for the solutions using various antivirus software.
Windows Defender Usage example for windows defender:
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Press enter to scan");
Console.ReadLine();
var sw = Stopwatch.StartNew();var exeLocation = @"C:\Program Files\WindowsDefender\MpCmdRun.exe";
var fileToScan = @"D:\ML\wildfire.exe";var scanner = new WindowsDefenderScanner(exeLocation);
var result = scanner.Scan(fileToScan, 10000);
sw.Stop();Console.WriteLine(result);
Console.WriteLine($"Completed scan in {sw.ElapsedMilliseconds}ms");
Console.WriteLine("Press any key to exit.");
Console.ReadKey();
}
}
likewise, other antivirus software can use like following
Avast Usage example for Avast (ashcmd is shipped in paid versions only)
var exeLocation = @"C:\Program Files\AVAST Software\Avast\ashcmd.exe";
var scanner = new AvastScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);AVG Usage example for AVG (avgscanx.exe is x86, avgscana.exe is x64)
var exeLocation = @"C:\Program Files (x86)\AVG\Av\avgscanx.exe";
var scanner = new AVGScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);Eset Usage example for ESET
var exeLocation = @"C:\Program Files\ESET\ESET Endpoint Antivirus\ecls.exe";
var scanner = new EsetScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);If your antivirus software not listed above you can approach them via their forum or helpline.
Windows Defenders comes as default installed software in Windows Servers, So If you're using Windows server can use windows defender approach for the scan process.
If there anything I miss in this article please share it with me on the comment section, we discuss more this, looking forward to your feedback :)
